author | Daniil Baturin <daniil@baturin.org> | 2018-06-24 13:35:44 +0200 |
committer | Daniil Baturin <daniil@baturin.org> | 2018-06-24 13:35:44 +0200 |
commit | c2f8d1a44defeadefcda560ba8a3883e25e24831 (patch) | |
tree | 1eead2a9118b556932ca10e398d8d94f510b70ac /scripts/key-pair.template | |
parent | a88aa2e1a16e1ac1af1fa3b19cb2b88c7783af37 (diff) | |
parent | 9324923d31d389110e2ab882a035982e2b269417 (diff) | |
Merge branch 'current' into lithium
Conflicts:
lib/OPMode.pm
scripts/vyatta-show-ipsec-status.pl
templates/show/vpn/ipsec/sa/node.def
templates/show/vpn/ipsec/sa/peer/node.def
templates/show/vpn/ipsec/status/node.def
Diffstat (limited to 'scripts/key-pair.template')
-rw-r--r-- | scripts/key-pair.template | 46 |
1 files changed, 43 insertions, 3 deletions
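diff --git a/scripts/key-pair.template b/scripts/key-pair.template
index 5b5b2a6..bbf5eb9 100644
--- a/scripts/key-pair.template
+++ b/scripts/key-pair.template
@@ -1,10 +1,15 @@
 [ req ]
- default_bits = 1024
+ default_bits = 2048
  default_keyfile = privkey.pem
  distinguished_name = req_distinguished_name
+ string_mask = utf8only
  attributes = req_attributes
+ dirstring_type = nobmp
+# SHA-1 is deprecated, so use SHA-2 instead.
+ default_md = sha256
+# Extension to add when the -x509 option is used.
  x509_extensions = v3_ca
- dirstring_type = nobmp
+
 [ req_distinguished_name ]
  countryName = Country Name (2 letter code)
  countryName_min = 2
@@ -24,4 +29,39 @@
 [ v3_ca ]
  subjectKeyIdentifier=hash
  authorityKeyIdentifier=keyid:always,issuer:always
- basicConstraints = CA:true
+ basicConstraints = critical, CA:true
+ keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid:always,issuer
+ basicConstraints = critical, CA:true, pathlen:0
+ keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+ basicConstraints = CA:FALSE
+ nsCertType = client, email
+ nsComment = "OpenSSL Generated Client Certificate"
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid,issuer
+ keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+ extendedKeyUsage = clientAuth, emailProtection
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+ basicConstraints = CA:FALSE
+ nsCertType = server
+ nsComment = "OpenSSL Generated Server Certificate"
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid,issuer:always
+ keyUsage = critical, digitalSignature, keyEncipherment
+ extendedKeyUsage = serverAuth
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+ authorityKeyIdentifier=keyid:always
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+ basicConstraints = CA:FALSE
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid,issuer
+ keyUsage = critical, digitalSignature
+ extendedKeyUsage = critical, OCSPSigning
\ No newline at end of file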
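Review bot: The new `[ server_cert ]` section in the second hunk sets `extendedKeyUsage = serverAuth` but defines no `subjectAltName`, and many current TLS clients no longer match a hostname against the CN alone, so a certificate issued with only these extensions may be rejected for server use; if this template is meant to issue TLS server certificates, a comment such as `# subjectAltName is not set here; TLS server certificates need one (e.g. subjectAltName = @alt_names) supplied by the caller` would prevent that surprise. The same hunk uses `authorityKeyIdentifier = keyid,issuer:always` for `[ server_cert ]` but `keyid,issuer` for `[ usr_cert ]` and `[ ocsp ]`, and `keyid:always,issuer` for `[ v3_intermediate_ca ]` against `keyid:always,issuer:always` for `[ v3_ca ]`; unless the differences are intentional, aligning them on one form makes the template easier to audit. `nsCertType` and `nsComment` are legacy Netscape extensions that current verifiers do not consult, so they could be left out of a freshly written section rather than carried forward.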